Posts

“Trust in God and do good, dwell in the land and feed off faith” ( Psalms 37:3 ).

God controls everything
Everything in the entire universe is under God’s control. This includes everything that happens to you personally, both spiritually and materially, including what you yourself do, whether deliberately or unwittingly, wilfully or under compulsion: everything is from God. Even when appearances suggest otherwise, the believer pays attention not to the external appearance of this world but to the underlying truth.

Freedom
Everything we do is ultimately controlled by God, though this is concealed from us by our egos, which make us think we are separate from and independent of God. We were created like this to give us free will. This way we are able to turn to God of our own volition and discover for ourselves that God controls all things, including our own thoughts, feelings and actions.

Action
Even though all things in the spiritual and material realms are in God’s hands, we are not supposed to wait for God to do everything. The universe is so arranged that we have freedom of action in many areas. When we act, whether it be to make a living or to attend to any of our other needs, we must understand that, while it is up to us to take the initiative and act as if everything is in our hands, in fact all things ultimately depend upon God. No matter what we feel we ought to do, whether in our spiritual or material lives, our first step should always be to ask God to guide us and bless our efforts with success.

Reverses
When things appear to turn out badly for us, we have to accept that this is God’s will and that whatever happens is for the best. Even when things go wrong because of something we ourselves may have thought, said or done, we must accept that this too is from God. Other people are also free agents, yet everything they do is ultimately controlled by God. If someone insults you or in some way harms you, know that this has been sent by God as a way to cleanse your soul. If things go against you, be patient. When you accept everything as God’s will, this causes the veil of concealment to be removed, thus manifesting God’s control over all creation.

Growth
Your spiritual growth is also under God’s control. Even if you feel a desire to grow in a specific area, as long as you are not ready to achieve what you want, things will be arranged in such a way as to hold you back – either by external obstacles or through some idea that becomes implanted in your own mind to prevent you from reaching your goal. This does not mean that God is rejecting you. He knows that in the long run this will be the best way to bring you to the ultimate good. The purpose of holding you back is to prompt you to cry out and pray to God to help you rise from your current level and bring you nearer your true goal.

Revelation and guidance
Since God is everywhere and in all things, everything we experience is actually a communication from God. This includes our inner thoughts and feelings. Even negative thoughts and feelings – heaviness, lack of enthusiasm, depression and the like – are from God. Everything you hear, see, or experience in life, whether from people you know or from complete strangers, is a call to you from God. Even unclear or contradictory messages are sent with a purpose: to give us choice and free will in order to test us. The way to sort out which messages we should follow and which we should ignore is by evaluating everything in the light of Torah teaching.

The Wise Man-Tzaddik
Faith in God includes faith in the Tzaddikim whom God sends into this world to teach us how to transcend our lowly state and fulfil l our spiritual destiny. Not only must we accept that God gave the Torah to Moses on Sinai; we must also acknowledge that God sends wise men in every age to lift us out of our exile and teach us the true path in life.

Maimonides defines eight levels in giving charity (tzedakah), each one higher than the preceding one.

On an ascending level, they are as follows:

8. When donations are given grudgingly.
7. When one gives less than he should, but does so cheerfully.
6. When one gives directly to the poor upon being asked.
5. When one gives directly to the poor without being asked.
4. Donations when the recipient is aware of the donor’s identity, but the donor still doesn’t know the specific identity of the recipient.
3. Donations when the donor is aware to whom the charity is being given, but the recipient is unaware of the source.
2. Giving assistance in such a way that the giver and recipient are unknown to each other. Communal funds, administered by responsible people are also in this category.
1. The highest form of charity is to help sustain a person before they become impoverished by offering a substantial gift in a dignified manner, or by extending a suitable loan, or by helping them find employment or establish themselves in business so as to make it unnecessary for them to become dependent on others.

Based on the Thirteen Principles of Faith formulated by the Rambam in his Commentary on the Mishnah (tractate Sanhedrin 10:1).

I believe with complete faith that the Creator, blessed be His name, is the Creator and Guide of all the created beings, and that He alone has made, does make, and will make all things.

I believe with complete faith that the Creator, blessed be His name, is One and Alone; that there is no oneness in any way like Him; and that He alone is our G-d – was, is and will be.

I believe with complete faith that the Creator, blessed be His name, is incorporeal; that He is free from all anthropomorphic properties; and that He has no likeness at all.

I believe with complete faith that the Creator, blessed be His name, is the first and the last.

I believe with complete faith that the Creator, blessed be His name, is the only one to whom it is proper to pray, and that it is inappropriate to pray to anyone else.

I believe with complete faith that all the words of the Prophets are true.

I believe with complete faith that the prophecy of Moses our teacher, peace unto him, was true; and that he was the father of the prophets, both of those who preceded and of those who followed him.

I believe with complete faith that the whole Torah which we now possess was given to Moses, our teacher, peace unto him.

I believe with complete faith that this Torah will not be changed, and that there will be no other Torah given by the Creator, blessed be His name.

I believe with complete faith that the Creator, blessed be His name, knows all the deeds and thoughts of human beings, as it is said, “It is He who fashions the hearts of them all, He who perceives all their actions.” (Psalms 33:15).

I believe with complete faith that the Creator, blessed be His name, rewards those who observe His commandments, and punishes those who transgress His commandments.

I believe with complete faith in the coming of Moshiach, and although he may tarry, nevertheless, I wait every day for him to come.

I believe with complete faith that there will be resurrection of the dead at the time when it will be the will of the Creator, blessed be His name and exalted be His remembrance forever and ever.

The foundation of all foundations [and basic principles of the Torah] and the pillar of all wisdom is to know that there is a First Being Who brings every existing thing into being. All existing things – in heaven, on earth and what is between them – come into being only from His true existence.

If it should enter one’s mind that He does not exist – no other thing could have any existence.

A password policy is a common part of every companies overall security policy. Most password policies are set in stone, and have been essentially unchanged over the past twenty years. We think of the ideal password as a random collection of letters, numbers and random characters. Common password policies often include rules such as:

Both upper case and lower case numbers are required.

At least one number and one special character.

A minimum length of 8 characters (and often a maximum length is set).

A prohibition against certain rules or sequences of characters.

No personal information (i.e.. cannot use ones first or last name).

Cannot repeat the previous dozen passwords.

Password must be changed every 90 days.

These are all pretty standard and have the desired effect of forcing fairly complex passwords. After all the more complex the password is the more secure it is, right? Or do they? Let’s look at two examples.
1. Super.001 – This password meets all the requirements above. It has the advantage of being very easy to remember, Has four different character types, etc. Most people would be able to remember this password without much effort, which is ideal. But, it is a password that is subject to one very serious issue, predictability. That is to say, the users next password is going to be Super.002 and then Super.003 and so on. While they all meet the complexity requirements of the aforementioned rule set, they are a serious breach of ideal information security since knowing one password makes it real easy to guess the next iteration of the same users password.
2. $%thIn25b – This password also meets all of the above requirements. But has a few disadvantages. First is that the human brain is simply not wired to remember passwords like this which means most people will have to write it down. Which means post-it notes on monitors, tape strips underneath keyboards or on the back of badges, etc. Because of it’s complexity, it also means the user is far more likely to suffer an increase in the number of lock-outs they experience (decreasing the employees productivity) which in turn increases the workload for IT help desk. One other consideration not often mentioned, is that a more complex password often means slower, finger picking at the keyboard, which in turn might make it easier for shoulder surfers to pick out passwords.

Before going too far, we need to understand a little about how passwords work in a corporate environment. The first thing that we need to understand is that passwords are not stored in plaintext. That is to say, we can not view the password in any way once it is passed to the system. For example, if you are storing all your personal passwords in an Excel file (a common, but very bad habit), you are storing your passwords in plaintext. Anyone who opens the Excel file can read and copy your passwords. But within a computer network, passwords are not stored that way, rather they are stored and passed as hashes. A hash is the result of passing a password through a mathematical formula that takes a password and turns it into a fixed length set of characters. For example, the SHA1 hash of the aforementioned Super.001 is “b61bcff38b1a464aedc8261afb8211a7a67eaa07” and that is what Windows sees and uses. Now, you might think that changing Super.001 to something very close like Super.002 would result in a hash that is very close to the other but in fact you end up with a very different set of numbers and letters. In this case Super.002 becomes: 020ad20ab24b29118d1fc2ce391dd18fe41b3000. Notice the radical difference between the two. This is the result of a mathematical concept called entropy, and entropy is one of the most important concepts to understand when considering passwords. Basically, entropy is how much change results in the final hash value based on extremely small changes in the original plaintext value. This is important because the more entropy you introduce into the hash, the further away from the original value you get, the more difficult it becomes to decrypt the hash.

Now, without getting into the mathematics of password entropy, which quite honestly is beyond me, I can say that password length is far more important than password complexity. A concept which even the most casual Google search will confirm. In fact, there is some significant mathematical evidence that increased complexity actually decreases password strength. What this means basically is that complex passwords don’t matter, long passwords do.

There is some really interesting history around the development of the password rules that we are so used to, but in essence they were made up, rushed through to get published in a federal specification with no evidence to back them up. But they have been used for so long that we don’t question them. However over the past two years or so, a lot of work has gone into rethinking passwords, and that research has ended up producing a whole new set of standards that the federal government has now published, and is slowly being adopted through out the country. It should be noted that even our infamous three-letter agencies are in agreement with these new standards. In fact, as part of the FIPS program, agencies that do business with the federal government are required to implement these new standards which are published in NIST SP 800-171.

So what do these new standards say:

Get rid of the password change requirements. Passwords should not be required to change or expire based on a specific time frame. Instead, passwords should only be changed if they have been forgotten or compromised.

No more complexity requirements. Password owners should not be forced to use convoluted and overly complex combinations of letters, numbers and special characters to create their passwords.

Require longer passwords, a minimum of 8-12 characters and maximum sizes should be moved up to 64 characters or even more.

Consider not using passwords and moving instead to a passphrase. A passphrase is a sentence or combination of words, such as the line of a poem or song, that is easier to remember.

Implement screening against known lists of bad or common passwords.

Eliminate the use of password hints and security questions that are based on specific knowledge points (such as your high school mascot or mothers maiden name).

Ultimately, these new standards are about favoring the end user. It means less time trying to remember new passwords, lost productivity due to expired or forgotten passwords. And fewer passwords left laying around on post-it notes. The end user should not suffer because software writers are to lazy to handle passwords properly.

A few other items of note is that software systems really should be using 2 Factor Authentication, there simply is no excuse not to anymore, and SMS is not a secure 2FA method.

Today I wanted to take a few minutes to look at the headers on a particularly suspicious email I received, and it took me a few minutes to find them, since I had never done it on a Mac before. So I threw together a quick guide.

In the email list pane, right click on the email that you want to view information about.

In the context menu select “View Source” which is almost at the bottom of the pop-up window.

You will then get another window that opens and shows the header, the MIME info, and the body of the email. Easy enough.

Standard DoD 5220.22-M, US DoD 5220.22-M (ECE)

US Department of Defense in the clearing and sanitizing standard DoD 5220.22-M recommends the approach “Overwrite all addressable locations with a character, its complement, then a random character and verify” (see table with comments) for clearing and sanitizing information on a writable media.

US Department of Defense 5220.22-M Clearing and Sanitization Matrix

Media

Clear

Sanitize

Magnetic Tape1

Type I

a or b

a, b, or m

Type II

a or b

b or m

Type III

a or b

m

Magnetic Disk

Bernoullis

a, b, or c

m

Floppies

a, b, or c

m

Non-Removable Rigid Disk

c

a, b, d , or m

Removable Rigid Disk

a, b, or c

a, b, d , or m

Optical Disk

Read Many, Write Many

c

m

Read Only

m, n

Write Once, Read Many (Worm)

m, n

Memory

Dynamic Random Access memory (DRAM)

c or g

c, g, or m

Electronically Alterable PROM (EAPROM)

i

j or m

Electronically Erasable PROM (EEPROM)

i

h or m

Erasable Programmable (ROM (EPROM)

k

l, then c, or m

Flash EPROM (FEPROM)

i

c then i, or m

Programmable ROM (PROM)

c

m

Magnetic Bubble Memory

c

a, b, c, or m

Magnetic Core Memory

c

a, b, e, or m

Magnetic Plated Wire

c

c and f, or m

Magnetic Resistive Memory

c

m

Nonvolatile RAM (NOVRAM)

c or g

c, g, or m

Read Only Memory ROM

m

Static Random Access Memory (SRAM)

c or g

c and f, g, or m

Equipment

Cathode Ray Tube (CRT)

g

q

Printers

Impact

g

p then g

Laser

g

o then g

US Department of Defense 5220.22-M Clearing and Sanitization Matrix

a. Degauss with a Type I degausser

b. Degauss with a Type II degausser.

c. Overwrite all addressable locations with a single character.

d. Overwrite all addressable locations with a character, its complement, then a random character and verify. THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION.

e. Overwrite all addressable locations with a character, its complement, then a random character.

f. Each overwrite must reside in memory for a period longer than the classified data resided.

g. Remove all power to include battery power.

h. Overwrite all locations with a random pattern, all locations with binary zeros, all locations with binary ones.

i. Perform a full chip erase as per manufacturer’s data sheets.

j. Perform i above, then c above, a total of three times.

k. Perform an ultraviolet erase according to manufacturer’s recommendation.

l. Perform k above, but increase time by a factor of three.

m. Destroy – Disintegrate, incinerate, pulverize, shred, or melt.

n. Destruction required only if classified information is contained.

o. Run five pages of unclassified text (font test acceptable).

p. Ribbons must be destroyed. Platens must be cleaned.

q. Inspect and/or test screen surface for evidence of burned-in information. If present, the cathode ray tube must be destroyed.

Most of us in Western countries lead very insular lives. We understand, on an intellectual level, that not everyone has the same standard of living or access to technology that we do, but fail to really comprehend what that means. We also may fail to understand exactly how other people, other societies and cultures, interact with the technology that is available to them. This insulated perspective can have numerous repercussions for people who live and breathe technology, specifically for those people who work in the Information Technology field.

Information Technology is no longer a local field of employment or study. It is almost impossible to work at any level within the IT field and not have a global presence to some degree. And it is becoming more and more vital that we learn to interact as global citizens since the World Wide Web, and the technologies that are associated with it, are breaking boundaries and national borders faster than anything we have ever dreamed of in the past.

Digital Citizenship is a way of looking at our lives – specifically at that point where information technology begins to define our place in the world. Digital citizenship is all about how to be appropriate, responsible, and ethical, within the boundaries of cyberspace. Digital citizenship is the new Emily Post for the Matrix and while it may sound funny, it is absolutely crucial to today’s marketplace and to the economic wellbeing of our companies and countries.

We need to understand that our presence online isn’t the same as the neighborhood presence of a local store. The grocery store on the corner is marketing to a very specific demographic, the people who live within a few miles. No one else in world probably even knows about that store. But build a website, develop an ecommerce shop, and suddenly you are available to everyone everywhere, suddenly you are a global citizen with a digital presence. Now people in England, Oman, or Thailand, can shop your store. You are no longer simply selling to a small community, you are selling to every community. What exactly does this mean for us and what are the implications of digital citizenship?

First, we have to learn to communicate on a global level, and we have to realize that communication is not about talking, it is about sharing ideas. Unfortunately, at this time, I am limited to English so I cannot carry a conversation with anyone unless they happen to speak my language. But that does not stop me from communicating. We can share ideas through the magic of information technology, through the digital sharing of pictures and graphics, through the use of online translators and with the help of a myriad of people who are also online and willing to help facilitate communication. But we have to remember that communication is not occurring between two computers, or two smart phones, but that these are just the devices that are allowing two human beings to interact at a distance. We need to treat our digital communication as if it were a face to face meeting.

Which leads to the discussion of etiquette. You simply cannot treat people differently online, than you would in person. As we spend more and more time immersed in a digital world, it seems as if people are developing these digital personas, masks that they hide behind, and then acting out in the most inappropriate ways. Our failure to grasp the importance of treating other people fairly, with respect, is probably the single biggest obstacle that we face as citizens of a digital world. Perhaps we really do need an Emily Post for the Matrix. And not just for our words, but we need to be aware of our virtual actions, the way we present ourselves, the images we post online.

Digital commerce is rapidly becoming the norm for shopping. It is so much more convenient, with better prices and more selection, than driving up the street to a small store and being forced to choose from their limited stock. But commerce online can be inhibited by a failure to properly present what you are selling. If you are unable to communicate the precise nature of what you offer, how do you expect anyone to purchase it? And how many times have we had to deal with a lack of communication between buyer and seller or with rude help desks that simply don’t seem interested in your lack of ability to understand what a particular website is unsuccessfully attempting to sell. We need to look at the bigger picture and not limit ourselves to a local mindset. Even if you are selling to a particular demographic or region, the ability to communicate your wares, your ideas, your skills, to a global audience will better present your product to a local audience.

We tend to think that we have a right to do whatever we like when we are online as if the Internet were some giant free-for-all. But our rights have to be tempered with responsibility. Our rights should never allow us to run roughshod over other people, nor allow us to bully or denigrate them. Speak freely certainly, but don’t yell fire in a crowded theater.

If we can learn to be better digital citizens in a World Wide ‘Globe’ we can increase our ability to collaborate with others. We can improve marketplaces and honest competitiveness between businesses. We can help others in ways and to degrees never before possible. We can change the world for the better.